Cyberattacks exploiting gaps in cloud infrastructure — to steal credentials, identities and data — skyrocketed in 2022, growing 95%, with cases involving “cloud-conscious” threat actors tripling year-over-year. That’s according to CrowdStrike’s 2023 Global Threat Report.
The report finds bad actors moving away from deactivation of antivirus and firewall technologies, and from log-tampering efforts, seeking instead to “modify authentication processes and attack identities,” it concludes.
Today, identities are under siege across a vast threatscape. Why are identities and privileged access credentials the primary targets? It’s because attackers want to become access brokers and sell pilfered information in bulk at high prices on the dark web.
CrowdStrike’s report provides a sobering look at how quickly attackers are reinventing themselves as access brokers, and how their ranks are growing. The report found a 20% increase in the number of adversaries pursuing cloud data theft and extortion campaigns, and the largest-ever increase in numbers of adversaries — 33 new ones found in just a year. Prolific Scattered Spider and Slippery Spider attackers are behind many recent hiigh-profile attacks on telecommunications, BPO and technology companies.
Attacks are setting new speed records
Attackers are digitally transforming themselves faster than enterprises can keep up, quickly re-weaponizing and re-exploiting vulnerabilities. CrowdStrike found threat actors circumventing patches and sidestepping mitigations throughout the year.
The report states that “the CrowdStrikeFalcon OverWatch team measures breakout time — the time an adversary takes to move laterally, from an initially compromised host to another host within the victim environment. The average breakout time for interactive eCrime intrusion activity declined from 98 minutes in 2021 to 84 minutes in 2022.”
CISOs and their teams need to respond more quickly, as the breakout time window shortens, to minimize costs and ancillary damages caused by attackers. CrowdStrikes advises security teams to meet the 1-10-60 rule: detecting threats within the first minute, understanding the threats within 10 minutes, and responding within 60 minutes.
Access brokers make stolen identities into best sellers
Access brokers are creating a thriving business on the dark web, where they market stolen credentials and identities to ransomware attackers in bulk. CrowdStrike’s highly regarded Intelligence Team found that government, financial services, and industrial and engineering organizations had the highest average asking price for access. Access to the academic sector had an average price of $3,827, while the government had an average price of $6,151.
As they offer bulk deals on hundreds to thousands of stolen identities and privileged-access credentials, access brokers are using the “one-access one-auction” technique, according to CrowdStrike’s Intelligence Team. The team writes, “Access methods used by brokers have remained relatively consistent since 2021. A prevalent tactic involves abusing compromised credentials that were acquired via information stealers or purchased in log shops on the criminal underground.”
Access brokers and the brokerages they’ve created are booming illegal businesses. The report found more than 2,500 advertisements for access brokers offering stolen credentials and identities for sale. That’s a 112% increase from 2021.
CrowdStrike’s Intelligence Team authors the report based on an analysis of the trillions of daily events gathered from the CrowdStrike Falcon platform, and insights from CrowdStrike Falcon OverWatch.
The findings amplify previous findings from CrowdStrike’s Falcon OverWatch threat hunting report that found attackers, cybercriminal gangs and advanced persistent threats (APTs) are shifting to the malware-free intrusion activity that accounts for up to 71% of all detections indexed in the CrowdStrike threat graph.
Cloud infrastructure attacks starting at the endpoint
Evidence continues to show cloud computing growing as the playground for bad actors. Cloud exploitation grew by 95%, and the number of cases involving ”cloud-conscious” threat actors nearly tripled year-over-year, by CrowdStrike’s measures.
“There is increasing evidence that adversaries are growing more confident leveraging traditional endpoints to pivot to cloud infrastructure,” wrote the CrowdStrike Intelligence Team, signaling a shift in attack strategies from the past. The report continues, “the reverse is also true: The cloud infrastructure is being used as a gateway to traditional endpoints.”
Once an endpoint has been compromised, attackers often go after the heart of a cybersecurity tech stack, starting with identities and privileged access credentials and removing account access. They often then move on to data destruction, resource deletion and service interruption or destruction.
Attackers are re-weaponizing and re-exploiting vulnerabilities, starting with CVE-2022-29464, which enables remote code execution and unrestricted file uploads. On the same day that the vulnerability affecting multiple WSO2 products was disclosed, the exploit code was publicly available. Adversaries were quick to capitalize on the opportunity.
Falcon OverWatch threat hunters began identifying multiple exploitation incidents in which adversaries employ infrastructure-oriented tactics, techniques and procedures (TTPs) consistent with China-nexus activity. The Falcon OverWatch team discovered that attackers are pivoting to using successful cloud breaches to identify and compromise traditional IT assets.
CrowdStrike doubles down on CNAPP
Competitive parity with attackers is elusive and short-lived in cloud security. All the leading cybersecurity providers are well aware of how fast attackers can innovate, from Palo Alto Networks saying how valuable attack data is to innovation to Mandiant’s founder and CEO warning that attackers will out-innovate a secure business by relentlessly studying it for months.
No sales call or executive presentation to a CISO is complete without a call for better cloud security posture management and a more practical approach to identity and access management (IAM), improved cloud infrastructure entitlement management (CIEM) and the chance to consolidate tech stacks while improving visibility and reducing costs.
Those factors and more drove CrowdStrike to fast-track the expansion of its cloud native application protection platform (CNAPP) in time for its Fal.Con customer event in 2022. The company is not alone here. Several leading cybersecurity vendors have taken on the ambitious goal of improving their CNAPP capabilities to keep pace with enterprises’ new complexity of multicloud configurations. Vendors with CNAPP on their roadmaps include Aqua Security, CrowdStrike, Lacework, Orca Security, Palo Alto Networks, Rapid7 and Trend Micro.
For CrowdStrike, the road ahead relies on an assortment of innovative tooling.
“One of the areas we’ve pioneered is that we can take weak signals from across different endpoints. And we can link these together to find novel detections,” CrowdStrike co-founder and CEO George Kurtz told the keynote audience at the company’s annual Fal.Con event last year.
“We’re now extending that to our third-party partners so that we can look at other weak signals across not only endpoints but across domains and come up with a novel detection,” he said.
What’s noteworthy about the development is how the CrowdStrike DevOps and engineering teams added new CNAPP capabilities for CrowdStrike Cloud Security while also including new CIEM features and the integration of CrowdStrike Asset Graph. Amol Kulkarni, chief product and engineering officer, told VentureBeat that CrowdStrike Asset Graph provides cloud asset visualization and explained how CIEM and CNAPP can help cybersecurity teams see and secure cloud identities and entitlements.
Kulkarni has set a goal of optimizing cloud implementations and performing real-time point queries for rapid response. That means combining Asset Graph with CIEM to enable broader analytical queries for asset management and security posture optimization. At a conference last year, he demonstrated how such tooling can provide complete visibility of attacks and automatically prevent threats in real time.
CrowdStrike’s key design goals included enforcing least-privileged access to clouds and providing continuous detection and remediation of identity threats. Scott Fanning, senior director of product management, cloud security at CrowdStrike, told VentureBeat that the goal is to prevent identity-based threats resulting from improperly configured cloud entitlements across multiple public cloud service providers.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.